Search

How can we help?

Icon

Recognising DSARs: top tips for organisations

The UK GDPR grants Data Subjects, who are the individuals to whom the personal data relates, rights over their personal data, including the rights of access, correction and erasure.

A DSAR is a request made by a Data Subject for access to their personal data which an organisation holds on them.

Why do organisations need to recognise a DSAR?

Organisations have a legal responsibility to identify and correctly handle any DSARs made by individuals and must comply without undue delay and at the latest within one month of receipt of the request (though there is an ability to extend this to three months in certain circumstances where the request is deemed ‘complex’). It is therefore crucial that organisations are able to identify a DSAR.

There are no formal requirements for a valid DSAR to be made, as long as it is clear that an individual is asking for their own personal data. Therefore, an individual can make a valid DSAR:

  • Verbally, or in writing.
  • To anyone or any part of the organisation.
  • Without including the phrase “data subject access request”, or “right of access”.
  • Without referring to Article 15 of the UK GDPR.
  • Without telling the organisation the reason for making the request or what they intend to do with the information.
  • Via any social media site where an organisation has a presence.
  • On behalf of someone else (as long as the organisation is satisfied that the third party is entitled to act on behalf of the individual and has provided evidence of this, for example written authority signed by the Data Subject).
  • Via a third party online portal (as long as the organisation is satisfied that that the third party is entitled to act on behalf of the individual. An organisation is not obliged to take proactive steps to discover the DSAR, for example they will not be required to pay a fee or sign up to a service to receive a DSAR. If an organisation has concerns about the request, they can contact the individual directly before responding to the third party).
  • About a child (if an organisation considers that the child is able to understand their rights they can respond directly to the child, however an organisation may allow the parent or a guardian to exercise the right on behalf of their child if the child has authorised this or if it is in the best interests of the child).
  • If they mistakenly refer to a Freedom of Information Request (as long as the request relates to the individual’s personal data it must be treated as DSAR).
Jesse Akiwumi

Trainee Solicitor

View profile

+44 118 960 4662

A DSAR is a request made by a Data Subject for access to their personal data which an organisation holds on them.

How can organisations prepare for and effectively recognise DSARs?

Standard forms

Providing a standard form for individuals to make a request can make it easier for organisations to recognise a DSAR.  The UK GDPR recommends that organisations provide means for requests to be made electronically, particularly if the personal data is held and processed in electronic means. Organisations should therefore consider providing an electronic DSAR form that individuals can submit online. Organisations cannot, however, make it compulsory to use the standard form as individuals can still submit valid DSARs in other written forms or verbally.

Training of employees

As DSARs can be made in a variety of ways, it is important that organisations effectively train all of their employees to be able to recognise a DSAR when one is received. Organisations may provide specific training to certain members of staff who are more likely to receive these requests, for example employees that interact with the public directly. There should be clear systems and policies in place for employees to report a DSAR and employees should know the next steps in dealing with such requests.

Record keeping

Organisations should have policies and procedures in place for recording details of any DSARs received, this will be especially useful for DSARs that are made verbally over the phone or in person. Strong record keeping systems will help organisations keep track of DSARs, which in turn will help the organisation deal with the request within the relevant timeframe, help the organisation understand the individual’s request and also minimise the risk of any later disputes.

Adequate information management systems

It is important for organisations to have clear information management systems in place, as this will help in identifying and extracting any personal information that is requested in a DSAR. Strong management systems, for example standardised file naming for electronic documents and clear retention policies for the storage and deletion of data, will enable organisations to respond to DSARs in a time efficient manner and can lighten the administrative burden that is often associated with responding to such requests.

If you require further assistance on DSARs please contact a member of our data protection team who will be more than happy to help.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jesse Akiwumi

Trainee Solicitor

View profile

+44 118 960 4662

About this article

Read, listen and watch our latest insights

Pub
  • 10 February 2025
  • Privacy and Data Protection

Frequently asked questions on data retention

In this podcast, Jesse Akiwumi and Harry Berryman, members of the Data Protection team at Clarkslegal, address the top frequently asked questions we receive about data retention.

art
  • 06 February 2025
  • Privacy and Data Protection

Cookies and Consent: the ICO’s Cookie Review

In the digital age, cookies play a crucial role in how websites operate and interact with users.

art
  • 24 January 2025
  • Privacy and Data Protection

UK Data Protection: A look back at 2024 and what to expect in 2025

On 15 January 2025, Louise Keenan and Shauna Jones hosted our webinar “UK Data Protection: what happened in 2024 and what’s in store for 2025.” Our webinar is available for you to watch, but in this article, we will provide a brief summary of what was discussed.

art
  • 20 January 2025
  • Employment

AI Opportunities Action Plan – The impact of AI on employment

The Government has announced its ‘AI Opportunities Action Plan’ in which it plans to increase the use of AI across the UK to ensure the UK is a world leader in the field. 

art
  • 16 January 2025
  • Corporate and M&A

Business Asset Disposal Relief: Changes to CGT Relief and the Consequences for Business Owners

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

Pub
  • 10 January 2025
  • Privacy and Data Protection

UK Data Protection: What happened in 2024 and what’s in store in 2025?

It’s been a year of political change and uncertainty for data protection. Join our data protection webinar, where we will discuss the implications of the Data Protection and Digital Information Bill not passing and the upcoming Digital Information and Smart Data Bill from the King’s Speech, which will affect existing laws.